SSL Offloading for inbound connection

Reply
L1 Bithead

SSL Offloading for inbound connection

We have few legacy internal applications listening on a various TCP ports. Now we have a requirement to connect to these applications from a cloud vendor externally. There is no option to setup a site-to-site IPSec VPN tunnel to the cloud so we need to expose this server to internet securly. Can Palo alto act as a proxy for inbound traffic hosting the CA cerificate for the internal applications, decrypt and and send the decrypted packet to the internal server? Any documentation with configuration steps?

 

Tags (1)
L7 Applicator

Re: SSL Offloading for inbound connection

Hi @ganees

 

This does not sound like a job for paloalto. The better choice would be a reverse proxy like a Citrix Netscaler. Of course also an Apache or nginx webserver can be configured to do this job. Or a Kemp Loadmaster which (depending ond the bandwith you need) is also available for free: https://freeloadbalancer.com

L4 Transporter

Re: SSL Offloading for inbound connection

Not sure if the SSL Decryption Broker feature coming in PanOS 8.1 will allow this.

 

I'm intrigued to find out myself, especially if there is a simple load balancer feature in it.

L1 Bithead

Re: SSL Offloading for inbound connection

Thanks for your response. I thought the same but was curious if Palo can do it. 

L7 Applicator

Re: SSL Offloading for inbound connection

The decryption broker feature is intended to share decrypted content with other appliances (e.g. for DLP). But the idea is to keep the content encrypted as it goes through the network and not to terminate the decryption and forward the connection unencrypted.
Edit: between the palo and the third party appliance the traffic is sent back ond forth in cleartext. But this does not change the fact that after the traffic gets back to the palo firewall it will be re-encrypted.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!